Story image

Chinese websites targeted in drive-by download attack that drops DDoS bot

27 Feb 2018

Chinese websites have recently been targeted by a drive-by download campaign that dropped a Distributed Denial of Service (DDoS) bot by the name of Avzhan, a malware that has been around since 2010.

The most recent attacks were spotted by Malwarebytes Labs researchers, who say that the bizarre patterns of this particular drive-by download were not advanced, but they did demonstrate the use of several different exploits to distribute malware.

“For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China,” Malwarebytes researcher Jérôme Segura explains.

The researchers spotted the campaign after analysing compromised sites that loaded external content through iframes and scripts.

Some of those sites hosted cryptomining malware, however some redirects lead to a server that hosts several exploits.

Those exploits include three that target vulnerabilities in ActiveX, Flash Player and Internet Explorer.

The ActiveX vulnerability (CVE-2008-2551) is an old vulnerability that affects the C6 Messenger ActiveX control. The malware creator used old malware code and changed the download URL to point to their own malware.

The Flash vulnerability (CVE-2015-5119) is also an older vulnerability that affects all versions of flash up to version Malwarebytes researchers say this code was taken from a proof-of-concept and in this instance, causes instability in the browser which may cause it to crash.

The Internet Explorer vulnerability (CVE-2016-0189), also known as ‘God Mode’, was ‘commented out’, researchers explain.

All vulnerabilities were exploited to drop the Avzhan DDoS bot, which registers itself as a Windows Service.

Although researchers didn’t catch the bot in the act of conducting DDoS attacks, its capability is clearly evident in the code.

The malware has been lurking for several years but researchers say it is anything but sophisticated. It has not really changed – instead only modifications were made to hide the malware better and to add further configuration.

“Although we see the use of several exploits, we cannot call this an exploit kit—not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same,” Segura says.

“Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.”

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.